In 1965, Paul Harvey aired “If I Were the Devil,” a monologue about how subtle neglect leads to chaos. He didn’t shout. He didn’t rage. He whispered the truth.
Today, I’m borrowing that framework to show you how I’d take down your business—not with brute force, but with the small cracks you’ve learned to live with.
So let’s flip the lens.
If I were a cybercriminal targeting your business, here’s how I’d win. Not just by stealing your data—but by disrupting your operations for 22 to 24 days. That’s the average ransomware downtime. And for many, it’s a death sentence.
You wouldn’t be a random hit. I’d pick you because small and mid-sized businesses are ideal targets.
I’d be looking for businesses like:
These are the kinds of businesses where a single point of failure becomes a system-wide disaster.
According to Accenture, 43% of cyberattacks target companies with fewer than 250 employees. Because you’ve got what I want—and fewer defenses than you think.
Forget brute force. I’d let AI carry the load.
AI-driven phishing tools can mimic your CEO’s tone, your vendors’ urgency, even your own writing style.
But I wouldn’t stop there—I’d study you.
I’d scan LinkedIn for leadership bios, employee titles, org charts, and reporting lines. I’d read your press releases, team bios, blog posts—anything public. That way, when I craft a phishing email or leave a voicemail, it sounds like it came from inside your organization.
“Push the wire through.” “Just upload this invoice so I can sign it.” “Here’s that file the CFO asked for—don’t share it.”
And with AI voice cloning tools like ElevenLabs, I could sound exactly like your CFO or project manager on a call or voicemail.
I’m not guessing—it’s working.
According to Arctic Wolf’s threat report, phishing is now used in 72% of ransomware and business email compromise attacks—up from 62% just a year earlier.
Why? Because it works. Especially when AI does the writing.
Just one call. One email. One voice. And I’m in.
It’s not always the firewalls that fail—it’s the stuff you forgot about.
But here’s what’s even better: Your cloud services.
I’d hunt for accounts no one uses anymore—marketing tools, project management apps, legacy cloud storage—and find the ones still active with admin access.
Even better? Forgotten credentials.
That consultant who helped set things up three years ago? That employee who left last quarter?
If you didn’t disable access, I’m walking through a wide-open door—and no one’s watching.
Cloud misconfigurations, orphaned permissions, and leftover access are gold for attackers. They don’t trigger alarms. They don’t look suspicious. And they often go untouched for months, even years.
IBM’s 2024 report shows 20% of breaches stem from physical and overlooked assets. You’ve protected your fortress—but your outposts are undefended.
This isn’t about watching your company suffer.
It’s about getting paid.
Disruption is how I make that happen.
If I steal your data, you might restore it. But if I paralyze your operations for 3 weeks while customers call, vendors rage, and deadlines slip—you’ll start doing the math.
At $10,000 an hour, you’re bleeding $240,000 a day—and over $5.6 million if I keep you down for the average 22–24 days. (That’s not a guess. It’s what the Ponemon Institute and IBM estimate in real-world breach cases.)
And that’s before legal costs, lost deals, compliance fines, or the customers who never come back.
Most businesses don’t.
According to Hiscox and the Ponemon Institute, 66% of small and mid-sized companies are out of business within six months of a major cyberattack.
Disruption is the weapon. The ransom is the goal. And you might pay just to make the pain stop—even if it doesn’t bring everything back.
You don’t need a million-dollar cybersecurity budget.
But you do need leadership-level commitment—because this is no longer just an IT issue.
Start here:
Because a $10K investment in security beats a $1M ransom and weeks of downtime.
If I were a cybercriminal, I wouldn’t come crashing through your front door.
I’d do what Paul Harvey warned about—let chaos slip in quietly.
No alarms. No noise. Just gaps in your process, ignored risks, and overworked teams. And before you realize it’s happening—your business is on fire.
I won’t lose sleep over your business. It’s not about anger. There’s no vendetta. It’s just business for me.
You’ll either invest in protection now… Or you’ll pay me to get it back.
Whether you’re running a clinic, a law office, a factory, a jobsite, or a public agency— you can’t afford 24 days offline.
Don’t let me turn your company into my next paycheck.
That’s what I would do if I were a cybercriminal.
I hope this made you stop and think.
Two out of three businesses that suffer a major cyberattack don’t survive six months. And fewer than 20% of small and midsize companies have ever completed a proper cyber risk assessment.
That’s the gap I would exploit—if I were a cybercriminal.
At NCX Group, we help business leaders close those gaps before they become front-page problems. No scare tactics. No jargon. Just practical steps to secure what matters.
Assess the Risks to Your Business on Your Own—Click here to get started: https://training.ncxgroup.com/risk
If it’s time to have that conversation, let’s talk.
📅 Schedule a quick call 🌐
If it’s been more than a year since your last cybersecurity assessment—or if you’ve never done one—now is the time.
👉 Schedule a Strategy Call with NCX Group
Repost from LinkedIn – https://www.linkedin.com/pulse/i-were-cybercriminal-mike-fitzpatrick-aw9ef/
